CAS 7 SAML1.1 with delegation to Azure AD


jbstowe22

May 10, 2024, 11:39:36 PM
to CAS Community
We have a few old vendor apps that use SAML 1.1, and those are working fine with our CAS 6.6.x instance that is delegating to Azure/Entra AD.

We recently spun up a test instance of CAS 7, and those apps seem to reject the ticket from CAS 7 when being delegated to Azure (they work when not being delegated). I believe it has to do with the URL parameter CAS sends after receiving the Azure delegation response. In CAS 6.6 it sends the SAMLart URL parameter:

?SAMLart=ST-

But in CAS 7 it sends a ticket param:

?ticket=ST-

It almost seems as if CAS forgets it is using SAML 1.1 after the delegation is complete. Anybody else experience this, or know if there's some config we are missing in CAS 7 causing this?

Thanks!

jbstowe22

May 11, 2024, 9:05:59 AM
to CAS Community, jbstowe22
Quick update: I did some testing and discovered it's not CAS 7 that changed the functionality; it was actually CAS 6.6.14. I believe it's something about this commit, https://github.com/apereo/cas/commit/2b367835ed22478eb853a267760869a1d2eaf3ae, that changed how it works. I am most definitely not a Java developer, so I can't decipher exactly what's happening.

Thanks!

Dan S

Jul 31, 2024, 10:52:54 AM
to CAS Community, jbstowe22
Did you find a solution to this issue? I am running into it now. Oddly it seems that it only uses ?ticket on the first login attempt. If you've already authenticated and then revisit, it'll use the correct ?SAMLart parameter.

Dan
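To confirm the behaviour described in this thread on your own instance (a SAML 1.1 service receiving `?ticket=` instead of `?SAMLart=` after delegated login, possibly only on the first attempt), the following diagnostic is added here as an example; it is not code from the thread or from the CAS project. It takes the `Location` header CAS issued when redirecting back to the service and reports whether the ticket parameter matches the protocol the service speaks; the service URLs and tickets are constructed.

```python
"""Diagnostic for the SAMLart-vs-ticket callback behaviour discussed above.

Given the redirect URL CAS sent the browser back to the service with, report
which ticket parameter was used and whether it matches what that service's
protocol expects: SAML 1.1 services consume SAMLart, CAS protocol services
consume ticket. Service URLs below are constructed for this example.
"""
from urllib.parse import parse_qs, urlparse

# Constructed registry: service URL (scheme+host+path) -> protocol it speaks.
SERVICES = {
    "https://vendor.example.com/saml11/acs": "saml11",
    "https://app.example.com/login/cas": "cas",
}

EXPECTED_PARAM = {"saml11": "SAMLart", "cas": "ticket"}


def classify_redirect(location: str) -> dict:
    """Return the service, its protocol, the ticket parameter used and a verdict."""
    parsed = urlparse(location)
    base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    protocol = SERVICES.get(base)
    query = parse_qs(parsed.query)
    used = [p for p in ("SAMLart", "ticket") if p in query]
    param = used[0] if used else None
    ticket = query[param][0] if param else None
    result = {"service": base, "protocol": protocol, "param": param, "ticket": ticket}
    if protocol is None:
        result["verdict"] = "unknown-service"
    elif param is None:
        result["verdict"] = "no-ticket"
    elif not ticket.startswith("ST-"):
        # Service tickets issued by CAS carry the ST- prefix.
        result["verdict"] = "unexpected-ticket-format"
    elif param != EXPECTED_PARAM[protocol]:
        result["verdict"] = f"mismatch: {protocol} service got {param}"
    else:
        result["verdict"] = "ok"
    return result


# Constructed sample redirects; the first reproduces the symptom from the thread.
SAMPLES = [
    "https://vendor.example.com/saml11/acs?ticket=ST-1-abc",
    "https://vendor.example.com/saml11/acs?SAMLart=ST-2-def",
    "https://app.example.com/login/cas?ticket=ST-3-ghi",
]

if __name__ == "__main__":
    for loc in SAMPLES:
        print(classify_redirect(loc))
```

Run it against the `Location` headers captured from a first login and from a repeat visit to see whether the parameter changes between the two, as Dan describes.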
